Configure Site to Site IPSec VPN Tunnel between Cisco Router and Palo Alto Firewall

One end of the IPSec tunnel is a Palo Alto firewall with a static public IP address; the other end is a Cisco router with a dynamic IP address, sitting behind an Internet modem. For the purpose of this article, 10.10.10.1 is the static public IP address configured on the Palo Alto firewall.

Configure Cisco Router

1. Configure ISAKMP (IKE) – Phase 1

ISAKMP is defined globally. That means that if several ISAKMP Phase 1 policies are configured, the router sends all of them when it negotiates an SA with the remote site, and the first policy that matches on both ends is used.

(config)# crypto isakmp policy 1

(config-isakmp)# encr 3des

(config-isakmp)# hash md5

(config-isakmp)# authentication pre-share

(config-isakmp)# group 2

By default, ISAKMP lifetime is 86400 seconds.
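
The matching rule described above, as an added example that is not part of the original article: a simplified model that parses `crypto isakmp policy` blocks, flags legacy parameters (3DES, MD5, DH groups 1, 2 and 5), and shows which policy is selected. Policy 10 and the peer proposal lists are assumptions made for illustration; lifetime is left out of the match.

```python
import re

# Constructed sample: the article's policy 1 plus a hypothetical stronger policy 10.
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
"""

# Legacy Phase 1 parameters an audit should flag.
WEAK = {"encr": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}

def parse_policies(config):
    """Return {priority: {keyword: value}} for each 'crypto isakmp policy' block."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)\s*$", line.strip())
        if m:
            current = policies.setdefault(int(m.group(1)), {})
        elif current is not None and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            # Normalise 'encryption' and its abbreviation 'encr' to one key.
            current["encr" if key.startswith("encr") else key] = value
        else:
            current = None
    return policies

def weak_settings(policy):
    """List the 'keyword value' pairs of one policy that use legacy parameters."""
    return sorted(f"{k} {v}" for k, v in policy.items() if v in WEAK.get(k, ()))

def negotiate(policies, peer_proposals):
    """Lowest-numbered local policy that the peer also accepts, or None."""
    for prio in sorted(policies):
        if policies[prio] in peer_proposals:
            return prio
    return None
```

If the peer accepts both parameter sets, `negotiate` returns 1: the legacy policy wins for as long as it stays configured with the lower number, so adding a stronger policy is not enough without removing the weak one on both ends.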

2. Configure Preshared Key

(config)# crypto isakmp key s@l@l@h11 address 10.10.10.1

Here 10.10.10.1 is the public IP address of the remote peer, and s@l@l@h11 is the preshared key the Cisco router uses when it establishes the VPN connection with the Palo Alto peer device.